"This is an exciting product. Let's send out information about this to all previous customers!" A spirited marketing idea that many of us probably recognize.
But the rules are clear: under the GDPR, personal data may only be collected for "specified, explicit and legitimate purposes". This means that in each project we need to be clear about why, for what and for how long we will process personal data.
In addition, the purposes must be specific and concrete, not vague or open-ended. It is not enough to state that the aim is to "improve the user experience", "cyber security" or "future research". Such wording is too broad, and the data subjects cannot assess what the processing of their personal data may entail. Nor is it enough to give "control" as the purpose of logging and monitoring; the purpose of the control itself must also be stated.
The purpose must also be legitimate. This means that the processing of personal data must have a legal basis in the General Data Protection Regulation and must be carried out in accordance with other applicable legislation and general legal principles.
Processing already collected personal data in new ways?
Of course, it’s difficult to think of all possible scenarios at the beginning of a project where personal data is collected. Often, needs appear that were difficult to predict.
If the new needs fit within the original purposes, it’s sufficient to inform the data subjects about the new personal data processing before it begins.
If, on the other hand, the personal data are to be used in a new way that does not fit the original purposes, the new processing needs its own legal basis, for example a fresh consent from the data subjects. Then we have to start from scratch: define the purpose, find a legal basis for the processing, and make sure that it takes place in accordance with the basic principles.
After five years with GDPR, this is something that we really should know, but often still forget.
We have now launched the 2023 version of GDPR and Privacy Protection, where we use NanoLearning as a method to create awareness every day of the year. In the end, functioning privacy protection also depends on us as users actually thinking and acting with the protection of personal privacy as part of our business: that we carefully formulate the purposes for collecting personal data, and that we are clear in our communication with the data subjects.